“On July 7, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion entitled ‘“Fair Credit Reporting: Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports.” The advisory opinion clarifies that “permissible purposes” under the Fair Credit Reporting Act (the “FCRA”) are “consumer specific” and highlights that a person who uses or obtains a “consumer report” is “strictly prohibit[ed]” from doing so without a permissible purpose under the FCRA. In the midst of ongoing Congressional efforts to pass a comprehensive federal data privacy law, the CFPB’s advisory opinion is a reminder of the existing rules that protect consumer privacy.
The FCRA creates a framework to protect the accuracy and privacy of “consumer report” information, which includes information “bearing on” a consumer’s “credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” and which is used or expected to be used for credit, employment, or insurance, among other purposes. The FCRA primarily regulates consumer reporting agencies (“CRAs”)—broadly defined to include any person or entity that regularly assembles or evaluates information about consumers for fees —in addition to those who use or obtain consumer reports (i.e., “users”), as well as those who supply information to CRAs (i.e., “furnishers”).
The CFPB’s advisory opinion emphasizes that the FCRA protects consumer privacy by “limiting the circumstances under which consumer reporting agencies may disclose consumer information”; specifically, by restricting disclosure of consumer report information only to persons whom the CRA has “reason to believe” have a statutory “permissible purpose” for obtaining such information. The CFPB now has formally clarified that this is a “consumer specific” requirement. Therefore, a CRA must have “reason to believe that all of the consumer report information” provided to a user “pertains to the consumer who is the subject of the user’s request.” Practically speaking, this means that CRAs must use caution when employing “name only matching” procedures, which can result in disclosure of consumer information pertaining to more than one individual with the same name and lead to a potential violation of the FCRA.
The advisory opinion also highlights requirements imposed on “users” of consumer reports—which includes any person or entity that requests a consumer report from a person or entity that meets the definition of a CRA. In relevant part, the FCRA section 604(f) provides that a “person shall not use or obtain a consumer report for any purpose unless (1) the consumer report is obtained for a purpose authorized to be furnished under this section; and (2) the purpose is certified in accordance with” the provisions of the FCRA through a “general or specific certification.” In the advisory opinion, the CFPB now clarifies that it is interpreting this requirement as a “strict” prohibition, rejecting the argument accepted by some courts that a user might not violate the FCRA if the user has a “reason to believe” that a permissible purpose applies. For example, the CFPB notes that a company may violate the FCRA if, when requesting consumer report information, it incorrectly selects the “wrong consumer from a list of possible consumers,” even if done so in error. The CFPB explains that this would “violate the FCRA’s permissible purpose provisions and the privacy of consumers that were the subject of those reports” while also “generating an inquiry on the consumer’s credit reports.”
The CFPB’s guidance demonstrates its focus on consumer privacy rights protected by the FCRA, and is a reminder to both CRAs, and users of consumer reports, to keep procedures in place to prevent the access or disclosure of information protected by the FCRA without a permissible purpose.”
Epstein Becker & Green, July 2022